max wrote:
Steve wrote:
---- max <maximilianbianco@xxxxxxxxx> wrote:
2 - The only other sane thing I could advise you to do is bounce
your question off the fedora-selinux list. I would include a
reference to this thread and all the relevant details. The kernel
you're running, the policy version (rpm -qa | grep
selinux...setrouble), setroubleshoot version, the error messages
below, and that you run in permissive and used preupgrade to go
from f8 to f9.
This will ensure that the right people see your message; this list
is also monitored but I think when they get busy fedora-selinux is
likely to still get checked more often than fedora-list.
I was trying to avoid this. I already get several hundred e-mails per
day and I would guess that the selinux list is pretty busy too. Oh
well, I'll just have to deal with it for a while.
I found this in the SELinux list archives:
http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm
which appears to say there was a problem but it was fixed in a patch.
I wonder if it has not made it to F9 yet?
Steve
It could be related but they seem to have been running mls policy which
is not the default policy in f9. I think the patch would have made it
into F9 by now, the thread dates back to January and F9 released in May
if memory serves. I think in the end you will have to rebuild the
policy. The only way that I know of to change the handle_unknown=deny to
allow is at policy build time. This is set to allow in F8 and F9. Why
yours is not this way is something I don't understand, unless mine is
screwed up somehow but I doubt it. I have looked at two f9 boxes and an
f8 box. All of them have the handle_unknown=allow. Maybe a third party
could confirm this:
dmesg | grep -i selinux
Use the Force,
Max
Steve,
Try semodule -B. It had completely slipped past me. It will force a
rebuild and reload of policy.
Check out man semodule.
Max
--
Fortune favors the BOLD
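
An added example, not part of the thread: a small shell helper that reads `dmesg` text, reports the handle_unknown value of the most recent policy load, and points to the `semodule -B` rebuild suggested above when it is not allow. The sample log lines are constructed, and their exact wording is an assumption; the helper matches only the `handle_unknown=` token quoted in the thread.

```shell
#!/bin/sh
# Constructed sample of `dmesg | grep -i selinux` output (not from the thread).
# The line wording is an assumption; only the handle_unknown= token is matched.
sample_log='SELinux:  Initializing.
SELinux: policy loaded with handle_unknown=deny
SELinux: policy loaded with handle_unknown=allow'

# Read kernel log text on stdin and print the handle_unknown value of the
# LAST policy load seen (a reload after boot overrides earlier lines).
# Prints "unknown" when no such line is present.
last_handle_unknown() {
    awk 'match($0, /handle_unknown=[a-z]+/) {
             # 15 = length of the literal "handle_unknown="
             v = substr($0, RSTART + 15, RLENGTH - 15)
         }
         END { print (v == "" ? "unknown" : v) }'
}

# Turn the value into a next step. Exit status: 0 = allow, 1 = deny/reject,
# 2 = no handle_unknown line found in the input.
advise() {
    case "$(last_handle_unknown)" in
        allow)
            echo "handle_unknown=allow: unknown classes/permissions are allowed"
            return 0 ;;
        deny|reject)
            echo "policy does not allow unknowns: run 'semodule -B' as root, then re-check dmesg"
            return 1 ;;
        *)
            echo "no handle_unknown line found (log rotated, or SELinux disabled?)"
            return 2 ;;
    esac
}

# Demo on the constructed sample; on a live system use: dmesg | advise
printf '%s\n' "$sample_log" | advise
```
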